diff options
| author | zdc <zdc@users.noreply.github.com> | 2026-07-10 18:33:10 +0300 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2026-07-10 15:35:14 +0000 |
| commit | 95369571744d0166141d3cd5586d73c9fff6cfd3 (patch) | |
| tree | beca8051dfcfeb6d25eaf465e604456a9dfbc891 /docs/_static/css/separate-commands.css | |
| parent | f443773a818dc726fe281e62cfcde9bfbef50049 (diff) | |
| download | vyos-documentation-mergify/bp/circinus/pr-2136.tar.gz vyos-documentation-mergify/bp/circinus/pr-2136.zip | |
docs(DMVPN): T4667: Add firewall rule to prevent unencrypted GRE leaks (#2136)mergify/bp/circinus/pr-2136
* docs(DMVPN): T4667: Add firewall rule to prevent unencrypted GRE leaks
In DMVPN the mGRE tunnel and the IPSec protecting it are handled
independently, so GRE can be forwarded while no IPSec SA is active for a
peer (e.g. while an SA is still being negotiated or after one expires),
allowing unencrypted GRE to leave the router. This is inherent to
combining GRE with IPSec and is common to DMVPN implementations in
general.
Add a "Protecting against unencrypted traffic leaks" section to the DMVPN
reference page explaining the behaviour and recommending an output filter
rule that drops GRE not matched by an outbound IPSec policy
(ipsec match-none-out). Note that this disables unencrypted GRE on the
node entirely, so coexisting plain GRE tunnels would stop working.
Apply the same rule in the Dual HUB Dual Cloud example on the VyOS nodes.
Co-authored-by: Daniil Baturin <daniil@baturin.org>
* docs(DMVPN): reflow DMVPN documentation for line length compliance
Reformat the DMVPN guide and dual-hub dual-cloud example to wrap
long lines and improve readability without changing the documented
behavior or configuration guidance.
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
(cherry picked from commit 50acf8f188475b0554b99a739cb8ada12d51e77b)
Diffstat (limited to 'docs/_static/css/separate-commands.css')
0 files changed, 0 insertions, 0 deletions
